Military, corporate cyberwarriors train against exploits with net war simulator.

In August, a collection of military, government, and nongovernmental humanitarian organizations from 22 countries in the Pacific gathered in Singapore for Pacific Endeavor 2012, a joint exercise to test how quickly and how well they could communicate in the face of a disaster. While the simulated mission was peaceful, some of the participants were put through a separate, more hostile test—Cyber Endeavor, a full-on "live fire" cyberwarfare exercise focused on "protecting information in a collaborative environment" with both innocent bystanders and hostile attackers.

The battle was fought on a closed "cyber range," a network designed to put network security teams through their paces and expose them to the most up-to-date exploits and attack methods available to hackers in the real world. Using BreakingPoint FireStorm network security testing appliances from Ixia, two teams generated test traffic against the "Blue Team" defenders in the exercise: a "Green" team created normal, benign application traffic against the network's infrastructure, and a "Red" team staged attacks drawn from a library of up-to-date vulnerabilities and exploits, using simulated botnets, real malware, and malformed packets designed to stress network infrastructure.

The Defense Department has invested heavily in cyber-ranges, including DARPA's multimillion dollar effort to build a National Cyber Range, a project now in the process of being transferred to U.S. Cyber Command. The NCR's goal was to create a secure, self-contained network facility that could be set up to emulate both internal Defense Department networks and commercial networks for evaluating and certifying cyberdefense tools. And the NCR isn't alone—there are several other cyber-range facilities operated by other parts of the DOD.

The problem, of course, is that those facilities are isolated and physically locked down—and expensive to operate. They usually require building a load of virtual machines to generate attacks and application traffic, and it takes significant work to create automated traffic that both takes advantage of emerging threats and doesn't give itself away by being too "canned." And if an organization wants to train on the NCR, they'll need to send their cyber-security team to it—and get proper clearances.

Ixia's BreakingPoint technology has made it possible for the range to come to the team, by packaging it into an appliance-based service. It provides a stream of threat and vulnerability intelligence to update systems so that they can keep defenders on their toes with threats that are current. That obviates the need to maintain a full-time threat intelligence modeling capability of their own. Military commands such as the US Pacific Command and European Command have used the platform for other joint exercises because of its portability and the fact that it doesn't require clearances for other militaries and non-governmental agencies to use.

The platform is also used by corporate customers, including telecom providers and banks. "Telcos and even most enterprises will have these labs built out that they can do testing in," said Scott Register, Ixia's Director of Market Strategy for Security & Applications. "They'll buy our equipment and services to test their infrastructure—it gives them the constant ability to harden themselves to new attacks."

The BreakingPoint FireStorm hardware encapsulates the systems needed to generate the network environment within which the attacks take place into a single box. Rather than individual client virtual machines, FireStorm uses specialized "network processors" and field-programmable gate arrays to generate traffic, creating essentially an entire networked domain within a 4U rack-mountable box that can be put in a network rack—or even placed on a conference room table—and that produces up to 120Gbps of network traffic. A new, more portable version, the FireStorm One, generates up to 40Gbps of application traffic and attacks—and up to 1 million TCP sessions per second.

[Image: The team running a FireStorm-based cyber-range can select sets of application simulators to load through the appliance's web console.]

The traffic that comes out of a FireStorm appliance isn't just a playback of a packet capture or other canned threats. "We are creating actual application traffic and live attacks (with FireStorm)," said Ixia's Senior Director of Marketing Kyle Flaherty. "There's real stuff going over the wire." The application traffic includes over 160 different protocols for consumer and enterprise applications, and client simulators can be set up to connect to actual application servers as part of a test.

[Image: The drop-down menu for selecting "strikes," or attacks, to be launched within the test network by FireStorm.]

The attacks used are drawn from a library of vulnerability and malware profiles updated every two weeks through Ixia's Actionable and Threat Intelligence service. "The last ATI package, which we shipped out this week, included 28 new 'strikes' (Ixia's term for attack packages)," Flaherty said. By using a web-based interface to the appliances, an attack team can pick a set of attack strategies and let them loose.


21 Reader Comments

"Telcos and even most enterprises will have these labs built out that they can do testing in," said Scott Register, Ixia's Director of Market Strategy for Security & Applications.

[citation needed]

Who are these enterprises, and how exactly do a handful constitute "most"? Scott is either lying, or the question was not related to cyber ranges, but to Ixia's test suites. Everyone has a few copies of that, but there's a huge difference between two endpoints and a cyber range.


He was talking about testbeds that companies use to test software and infrastructure before deployment, and was suggesting it was easy for an Ixia test suite to be hooked into one for the purposes of stress testing and training.

That was exactly my first thought! I've been doing this for years now locally with much less simulated traffic. I wonder how much these cost along with the support? I also dread something like this, fully up to date, getting into the wrong hands. Serious weaponization issues here.


I suggest the way it is written implies that he was saying that most telcos and enterprises have these live wire (c'mon, it's a thousand times better than live fire!) cyber range setups. I might take slight issue with the idea that it's easy to integrate, but that's likely due to experience with people who think that installing a client on your laptop and hitting GO! means it's testing what they want it to test.

It seems to me that some people are confused about the term "live fire".

(Hint: it doesn't involve "simulation". Were I to be pedantic, I would point out that nor does it ever stop at the edge of the computer monitor).

They use the term "live fire" in that they are using real exploits against real servers. No actual bullets are used, no.

Just in case my post wasn't clear on this point, my complaint wasn't about you as the reporter - it is rather aimed at the people who have chosen to deprecate the term. Of course you're reporting what they said, I'm just annoyed at terming it "live fire" - even using real exploits, they are not using them against the machines that would be targeted in a real event and I expect the environment contained many differences from the "live" environment (other than the fact that there are no bullets flying around).

I was in a demonstration a couple weeks ago with this device. The CVE database it uses for its strike list has less than half the CVEs documented by NIST. Which is rather disappointing. Considering they update the library every two weeks. It was also disappointing to hear that they still didn't have items in their library that have been known about since earlier in 2012 or even later than that.


"Live fire" is used correctly here. When the military does "live fire" exercises, they aren't shooting them at real people either...

It simply means that they are using real ammo - and if something goes wrong, someone could get hurt or killed. The same would appear to apply here. It's a controlled environment, but they're using real "ammo" in the exercise. I assume if something went wrong (like connecting the system to a real network), there could be damage.


From the way I read it, this isn't meant to simulate and test every exploit. It provides a way to train and test people. Having every exploit for that purpose would be more overwhelming than helpful.

Sounds like an infomercial for one of the numerous snake-oil sellers that want a piece of that sweet sweet cyber-war pie.

The traffic coming from a real and dangerous attacker is small, stealthy and multiform. Canned DDoS simulators and garbage traffic generators are just the US 2.0 version of the Maginot line, a way to be ready to defend against attacks of yesterday, while you're totally unprepared to defeat the real attacks. It's a way for higher-ups in the military hierarchy to think they have a handle on the problem, while in the meantime thousands of SCADA systems running on Windows 95 are deployed to control critical infrastructures.

So was this about the exercise? The way it was written is basically an advertisement for BreakingPoint. Which frankly is heading downhill since Ixia bought them.

Honestly that's exactly what I thought too. This article really reads like paid-for advertisement. The very least would be to mention vendors similar to Ixia (like Spirent Communications or Mu Dynamics or Shenick or Codenomicon ...).


Sounds overcynical to me. Getting practice with developing and implementing responses to the effects (and causes) one can detect in near-realtime, does not preclude aggressive (and parallel) research into detecting new attack vectors and potential mitigation strategies. Expertise is needed in both areas, not just the latter.


That is the way it reads. However, real world sales pitches ≠ real world applications. These government entities appear to have used it as a rudimentary training utility. IMHO anything that tries to sell itself as something to be used for a "'live fire' cyberwarfare exercise" should have a far more extensive library of attacks than what it actually has. Having a library that contains 1/2 of the CVEs documented by NIST isn't Fortune 500 ready. If you're smaller than that, you'll probably have a hard time justifying its ROI. There will come a day when this device will have better capabilities, but today is not that day.

There is a likely overlap in counter-techniques to use. What works for one CVE likely works for another. In addition, I believe the point was training? Since it is not possible to predict all possible attacks, the focus is likely on how to fight malware. In other words, train the process, not the actual steps required for all the known attacks.

Unless you trace-route the SOB back to his laptop while he's on it, "active, live-fire" activity only damages collaterally, not the actual target. It's not going to be possible to give him an Israeli wake-up call.